From badcfe1ada5f7f2ab0f28157813866d2167d1cf5 Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Sun, 15 Jan 2023 18:27:21 +0000 Subject: [PATCH] feat: generating firewall forwarding rules from individual machiene configs complete --- applications/firewall.nix | 10 +++++++++- machines/test01.nix | 20 +++++++++++++++----- machines/test02.nix | 6 +++--- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/applications/firewall.nix b/applications/firewall.nix index 45a2bde..3bfdc63 100644 --- a/applications/firewall.nix +++ b/applications/firewall.nix @@ -16,6 +16,14 @@ A list of routes to forward ''; }; + # need to seperate it out as to not cause infinite loops + forward_parsed = lib.mkOption { + default = ""; + type = lib.types.str; + description = '' + A list of routes to forward joined as a single string + ''; + }; }; }; @@ -69,7 +77,7 @@ # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept # can basically make each machiene responsibile for their own forwarding (in config at least) - ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward} + ${config.skynet_firewall.forward_parsed} counter packets 0 bytes 0 reject with icmp type admin-prohibited } diff --git a/machines/test01.nix b/machines/test01.nix index d8c4a35..72ec209 100644 --- a/machines/test01.nix +++ b/machines/test01.nix @@ -1,8 +1,5 @@ -{ pkgs, ... }: - -{ +{ pkgs, lib, nodes, ... }: { imports = [ - # applications for this particular server ../applications/firewall.nix ]; 
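Review bot: The new `forward_parsed` option is declared as `lib.types.str`, which rejects a second definition as a conflict; `lib.types.lines` is the conventional type for newline-joined text and merges multiple definitions by concatenation, which matches how this value is built. Its description also omits the two facts a maintainer needs: that the string is spliced verbatim into the nftables forward chain and that it is expected to be populated on the firewall host from the other nodes' `skynet_firewall.forward` lists, so `description = ''Newline-joined nftables rules for the forward chain, normally assembled on the firewall host from every node's skynet_firewall.forward and inserted verbatim ahead of the default reject.''` would be clearer. The `# need to seperate it out` comment should say which recursion it avoids (presumably the module reading `nodes` while `nodes` is being evaluated); as written it reads as a guess.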
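Review bot: `${config.skynet_firewall.forward_parsed}` is interpolated unvalidated into the forward chain immediately before the `reject with icmp type admin-prohibited` line, so any entry that any node places in `skynet_firewall.forward` becomes a rule on the firewall verbatim: a typo makes `nft` fail to load the ruleset, and an over-broad line (an unconditional `accept`, or one missing the `ip saddr`/`dport` match shown in the example comment) silently bypasses the default reject for all forwarded traffic. A safer shape is to keep `forward` structured (a submodule with `saddr`, `proto`, `dport`, `action`) and have this module render each entry into `ip saddr … dport … counter …` itself, so no machine config can emit arbitrary nftables syntax; at minimum an assertion that every line ends in `accept` or `drop` would catch the worst cases. Note also that this module no longer reads its own `config.skynet_firewall.forward`, so a node that sets `forward` but is not aggregated into `forward_parsed` gets nothing, which deserves a comment here. The enclosing nftables ruleset string begins and ends outside this hunk.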
@@ -14,6 +11,19 @@ }; # this server is teh firewall - skynet_firewall.enable = true; + skynet_firewall = { + enable = true; + + # gonna have to get all the + forward_parsed = + # merge together with a newline char + lib.strings.concatMapStrings (x: x + "\n") ( + # merge the lists together + builtins.concatLists ( + # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list + lib.attrsets.mapAttrsToList (key: value: value.config.skynet_firewall.forward) nodes + ) + ); + }; } diff --git a/machines/test02.nix b/machines/test02.nix index a03ef8c..9c9d312 100644 --- a/machines/test02.nix +++ b/machines/test02.nix @@ -1,8 +1,8 @@ -{ pkgs, ... }: +{ pkgs, ... }: { -{ imports = [ - + # import it in so the options are available + ../applications/firewall.nix ]; skynet_firewall.forward = [
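Review bot: `value.config.skynet_firewall.forward` is evaluated for every entry of `nodes`, so evaluation aborts with an undefined-option error as soon as one node does not import firewall.nix, which is presumably why test02 now has to import it; `lib.attrsets.mapAttrsToList (_: node: node.config.skynet_firewall.forward or []) nodes` tolerates such nodes and removes that coupling. The comment `# gonna have to get all the` is unfinished; something like `# collect every node's skynet_firewall.forward list into one newline-joined string for the firewall's nftables forward chain` states what the expression does, and the inline comment has a typo (`ointo`). Since this is the point where every machine config gains the ability to add rules to the firewall, it is worth a one-line note that the entries are trusted verbatim. What `nodes` contains depends on the deployment tool passing it, which is not visible in this diff.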
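Review bot: Importing firewall.nix into test02 pulls the module's `config` section into this host as well, not only its option declarations as the new comment suggests; unless that section (outside this diff) is wrapped in `lib.mkIf config.skynet_firewall.enable`, test02 would receive the firewall's nftables ruleset too. Please confirm the gating, and reword the comment to `# import the module so skynet_firewall.forward is declared here; the ruleset itself is only applied where enable = true` once it is. The `skynet_firewall.forward` list this hunk ends on continues outside the diff.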